Data Processing Addendum
Summary
This Data Processing Addendum is our pre-built agreement for schools and districts. It covers GDPR Article 28 processor obligations, FERPA school-official designation, breach notification timelines, sub-processor controls, and Standard Contractual Clauses for international transfers. Ready to sign — contact us to get started.
1. Introduction
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Education Management Studio (d/b/a “EMStudio,” the “Processor”) and the school, district, or educational institution (the “School,” the “Controller”) that enters into this agreement.
This DPA establishes the terms under which EMStudio processes Student Personal Data on behalf of the School, in accordance with GDPR Article 28, FERPA, COPPA, and applicable state student privacy laws.
Ready to sign
This DPA is ready to execute. Schools can contact us at info@emstudio.pro to initiate the signing process. No negotiation is typically required — this addendum reflects our standard commitments that are already in place.
2. Definitions
- “Student Personal Data” means any personally identifiable information relating to a student that is entered into EMStudio by the School's authorized teachers, including names, grades, attendance records, parent contact information, and behavioral notes.
- “Controller” means the School that determines the purposes and means of processing Student Personal Data.
- “Processor” means EMStudio, which processes Student Personal Data on behalf of the Controller.
- “Sub-Processor” means a third party engaged by EMStudio to process Student Personal Data. The current list is maintained at /legal/sub-processors.
- “Education Records” means records directly related to a student that are maintained by the School or by a party acting for the School, as defined under FERPA.
- “Applicable Data Protection Law” means the GDPR, UK GDPR, FERPA, COPPA, CCPA/CPRA, and any applicable state student privacy laws.
3. Subject Matter & Duration
This DPA governs EMStudio's processing of Student Personal Data for the duration of the School's use of the EMStudio service. Processing begins when the School's authorized teachers enter Student Personal Data into EMStudio and continues until the data is returned or destroyed in accordance with Section 11.
4. Nature & Purpose of Processing
EMStudio processes Student Personal Data solely to provide the education management service as directed by the School's authorized teachers. Processing activities include:
- Storing and organizing student records (names, grades, attendance, notes)
- Displaying student data to the authorized teacher who entered it
- Generating reports (grade summaries, attendance reports, report cards)
- Enabling data export in machine-readable formats (CSV)
- Maintaining backups for disaster recovery
EMStudio processes Student Personal Data solely on the School's written instructions, as documented in Annex A. EMStudio will not process Student Personal Data for any other purpose.
5. Types of Personal Data
The categories of Student Personal Data processed under this DPA are detailed in Annex A and include:
- Student identifiers: first name, last name, student ID, profile photo
- Contact information: student email, parent/guardian email, phone number, address
- Academic records: grades, assignments, attendance, behavioral notes
- Organizational data: class enrollment, semester, group membership
- Teacher-uploaded files: documents and images attached to lessons or assignments that may contain student information
Categories of data subjects: students enrolled in classes managed by the School's teachers, and parents/guardians whose contact information is entered by teachers.
For a full inventory of all data EMStudio collects, see our Privacy Policy and Transparency page.
6. Controller's Obligations
The School, as Controller, is responsible for:
- Ensuring it has a lawful basis for the processing of Student Personal Data, including obtaining any required parental consents under COPPA and applicable state laws
- Authorizing specific teachers to use EMStudio and enter Student Personal Data
- Providing instructions to EMStudio regarding the processing of Student Personal Data
- Notifying parents that the School uses EMStudio, as required under the School's own notification process
- Ensuring that Student Personal Data provided to EMStudio is accurate and up to date
- Complying with all applicable data protection laws in relation to its use of the service
7. Processor's Commitments
EMStudio, as Processor, commits to the following obligations under GDPR Article 28(3):
7.1 Documented instructions only
EMStudio will process Student Personal Data only on the School's documented instructions, as set out in this DPA and Annex A. If EMStudio believes an instruction infringes Applicable Data Protection Law, we will promptly inform the School.
7.2 Confidentiality
All EMStudio personnel with access to Student Personal Data are subject to confidentiality obligations. Access is limited to personnel who need it to provide the service.
7.3 Security measures (Art. 32)
EMStudio implements and maintains appropriate technical and organizational measures to protect Student Personal Data, as detailed in Annex B and on our Security page.
7.4 Sub-processor conditions
EMStudio will not engage a new sub-processor without providing the School 30 days' advance notice and an opportunity to object. See Section 8 for full details.
7.5 Assistance with data subject rights (Arts. 15–22)
EMStudio will assist the School in responding to requests from data subjects (parents or eligible students) to exercise their rights under GDPR Articles 15–22, including access, rectification, erasure, and data portability. Teachers can export or delete data directly within EMStudio.
7.6 Assistance with security obligations (Arts. 32–36)
EMStudio will assist the School with its obligations under GDPR Articles 32–36, including security of processing, breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities.
7.7 Deletion or return at end of services
Upon termination of the School's use of EMStudio, we will return all Student Personal Data in a portable format and permanently delete it from our systems within 30 days. See Section 11.
7.8 Audit rights
EMStudio will make available all information necessary to demonstrate compliance with this DPA and allow for audits. See Section 12.
7.9 No repurposing
EMStudio will not:
- Process Student Personal Data for any purpose other than providing the service
- Sell or rent Student Personal Data
- Use Student Personal Data for advertising, marketing, or behavioral targeting
- Use Student Personal Data to train AI models
- Disclose Student Personal Data to third parties except as documented in Annex C
These commitments are also reflected in our 12 Privacy Commitments.
8. Sub-Processor Management
The School provides general authorization for EMStudio to engage sub-processors, subject to the following conditions:
- Current list: The complete list of sub-processors is maintained at /legal/sub-processors and in Annex C
- Advance notice: EMStudio will notify the School at least 30 days before engaging any new sub-processor that will process Student Personal Data
- Objection period: The School may object to a new sub-processor within 30 days of notification. EMStudio will work to address the objection. If the objection cannot be resolved, the School may terminate this DPA.
- Contractual controls: Each sub-processor is bound by data protection obligations no less protective than those in this DPA
- Liability: EMStudio remains fully liable for the acts and omissions of its sub-processors
For details on what data each sub-processor receives (most never receive student data), see our Sub-Processors page.
9. Data Breach Notification
In the event of a breach of Student Personal Data, EMStudio will notify the affected parties according to the following regulation-specific timelines:
| Regulation | Notification Recipient | Timeline |
|---|---|---|
| GDPR (Art. 33) | Supervisory authority | Within 72 hours of awareness (where risk to rights and freedoms exists) |
| This DPA | The School | Within 24 hours of awareness, regardless of risk threshold |
| COPPA | The School (to notify parents) | Prompt notification per FTC expectation |
| FERPA | The School | Immediate notification per school's direction |
EMStudio's breach notification to the School will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
For our full incident response procedures, see our Security page and Privacy Policy breach response section.
10. Data Subject Rights
EMStudio will assist the School in responding to data subject requests under GDPR Articles 15–22:
- Access & portability: Teachers can export all student data as CSV files from Settings. EMStudio can also provide exports on School request.
- Rectification: Teachers can edit any student record directly in the app.
- Erasure: Teachers can delete individual students, classes, or their entire account. EMStudio permanently deletes the data within 30 days.
- Restriction: On School request, EMStudio can restrict processing of specific student data.
For parental rights under COPPA and FERPA, parents should direct requests through the School.
11. Data Return & Destruction
Upon termination of this DPA or at the School's request:
- EMStudio will provide a complete export of all Student Personal Data in CSV format within 10 business days
- After the School confirms receipt (or after 30 days if no confirmation), EMStudio will permanently delete all Student Personal Data from its systems and all sub-processors
- EMStudio will certify in writing that deletion is complete
- Copies retained solely for legal compliance (e.g., tax records for payment data) will be isolated and protected, with retention periods documented in our Privacy Policy retention schedule
12. Audit Rights
EMStudio will:
- Make available to the School all information necessary to demonstrate compliance with this DPA and Article 28
- Allow for and contribute to audits and inspections conducted by the School or a mandated auditor, with reasonable advance notice (at least 30 days)
- Provide the School with copies of relevant certifications, audit reports, or compliance documentation upon request
Audits will be conducted during normal business hours, no more than once per year, and subject to reasonable confidentiality obligations. The School bears the cost of any audit it initiates.
13. International Transfers
EMStudio is operated from the United States. If the School is located in the EU, UK, or another jurisdiction that restricts international data transfers, the following mechanisms apply:
- Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) of the European Commission's SCCs are incorporated by reference into this DPA and set out in Annex D
- UK International Data Transfer Addendum: For UK Schools, the ICO's UK addendum to the SCCs is automatically activated
- Sub-processor safeguards: Each sub-processor maintains its own transfer mechanisms as documented on our Sub-Processors page
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). See Annex B and our Security page for details.
14. Representations & Warranties
The School represents and warrants that:
- It has obtained all necessary parental consents under COPPA and applicable state laws, or has provided direct notice under its own consent process
- It has authority to instruct EMStudio to process Student Personal Data as described in this DPA
- The processing instructions provided to EMStudio comply with Applicable Data Protection Law
- It has designated EMStudio as a “school official with legitimate educational interest” under FERPA, or will do so as required
EMStudio represents and warrants that:
- It will not process Student Personal Data for any purpose outside the documented instructions in this DPA
- It will not sell, rent, or trade Student Personal Data
- It will not use Student Personal Data for advertising, marketing, or behavioral targeting
- It will not use Student Personal Data to train AI models
- It will maintain Article 32 security measures as described in Annex B
15. Liability & Indemnification
School indemnification: The School agrees to indemnify EMStudio from claims arising from the School's failure to obtain required parental consents, or from processing instructions that violate Applicable Data Protection Law.
EMStudio indemnification: EMStudio agrees to indemnify the School from claims arising directly from EMStudio's breach of its security obligations under Annex B, or from EMStudio's unauthorized repurposing of Student Personal Data in violation of this DPA.
Liability under this DPA is subject to the limitations set out in our Terms of Service.
16. Term & Termination
This DPA takes effect when signed by both parties and remains in effect for the duration of the School's use of EMStudio. It terminates when:
- The School's subscription or use of EMStudio ends
- Either party terminates by written notice
- EMStudio fails to resolve a sub-processor objection under Section 8
Sections that by their nature should survive termination will survive, including data return/destruction (Section 11), confidentiality, liability, and any obligations under Applicable Data Protection Law.
Annex A — Processing Description
| Item | Description |
|---|---|
| Subject matter | Provision of the EMStudio education management platform |
| Duration | Duration of the School's use of EMStudio, plus 30 days for data deletion |
| Nature of processing | Collection, storage, organization, retrieval, display, export, and deletion of Student Personal Data via the EMStudio web application |
| Purpose of processing | To enable teachers to manage classes, students, lessons, grades, attendance, and curriculum for educational purposes |
| Categories of data subjects | Students enrolled in the School; parents/guardians whose contact information is entered by teachers |
| Categories of personal data | Student names, IDs, emails, parent contacts, grades, attendance, behavioral notes, IEP/504 accommodations, teacher-uploaded files. Full list in Privacy Policy §2. |
| Special category data | Not intentionally collected. If teachers enter health, disability, or IEP/504 data, it is processed under the same basis with additional care. See Privacy Policy §2. |
Annex B — Security Measures
EMStudio implements the following technical and organizational measures to protect Student Personal Data, in accordance with GDPR Article 32:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 for all connections |
| Encryption at rest | AES-256 on all stored data (Supabase) |
| Access control | Row-Level Security (RLS) — each teacher can only access their own data |
| Authentication | Secure auth via Supabase (email/password + OAuth with Google, Microsoft, Apple) |
| Rate limiting | Per-user and per-IP rate limits on all sensitive operations |
| Content Security Policy | Strict CSP headers with violation reporting |
| PII scrubbing | Error logs and monitoring data scrubbed of personally identifiable information |
| AI privacy guard | Student data stripped before any data reaches AI providers |
| Backup & recovery | Automated daily backups with point-in-time recovery |
| Soft-delete protection | 30-day recovery period before permanent deletion to prevent accidental data loss |
For the complete description of our security practices, see our Security page.
Annex C — Sub-Processor List
The following sub-processors are authorized to process data on behalf of EMStudio. The live, always-current version is maintained at /legal/sub-processors.
| Vendor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and real-time subscriptions | United States (AWS us-east-1) |
| Cloudflare R2 | File storage for lesson attachments, avatars, and uploads | Global edge network |
| Stripe | Payment processing and subscription management | United States |
| OpenRouter (Google Gemini) | AI-powered lesson planning assistance | United States |
| PostHog | Product analytics (consent required in EU/UK/CA) | United States |
| Google Analytics | Marketing analytics and conversion tracking (consent required in EU/UK/CA) | United States |
| Kit (ConvertKit) | Transactional and marketing email delivery | United States |
| Vercel | Application hosting, CDN, and serverless functions | Global edge network |
For a detailed breakdown of what student data each vendor receives, see the student data table on our Sub-Processors page.
Annex D — International Transfer Mechanisms
For transfers of Student Personal Data from the EU/UK to the United States, the following mechanisms are incorporated into this DPA by reference:
EU Standard Contractual Clauses
The European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, adopted June 4, 2021) are incorporated by reference. The School is the “data exporter” and EMStudio is the “data importer.” The details required by the SCCs are provided in Annex A (processing description), Annex B (security measures), and Annex C (sub-processors).
UK International Data Transfer Addendum
For Schools located in the United Kingdom, the UK International Data Transfer Addendum (as approved by the ICO under S119A(1) Data Protection Act 2018) is automatically incorporated. The terms of the EU SCCs apply with the modifications specified in the UK Addendum.
Supplementary measures
In addition to the SCCs, EMStudio implements the following supplementary measures recommended by the European Data Protection Board (EDPB):
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
- Strict access controls limiting data access to authorized personnel only
- Transparency about government access requests (we have received none to date)
Related Policies
- Privacy Policy — full privacy notice (GDPR Arts. 13/14)
- Terms of Service — the agreement this DPA supplements
- Sub-Processors — live, detailed vendor list with student data breakdown
- Security — complete technical and organizational measures
- GDPR Compliance — our GDPR commitments and your rights
- FERPA Compliance — US education records law
- COPPA Compliance — children's data protections
- Transparency — complete data inventory
- Our Commitments — 12 privacy promises